Is the hack more important than the hacked?

It's not very often that a company gets hacked and then agrees to talk about the incident, so when the finance director of a Sydney-based firm asked if I would be interested in writing a story about a security breach that cost him AU$9,000, I grabbed the opportunity.

The finance director, let's call him Ken, only realised there was a problem when his telephone provider called to say there had been an unusually high volume of international calls.

When he looked at the call logs he saw hundreds of outgoing calls to countries in Africa, South America and Eastern Europe. In just one week these calls had notched up a relatively massive bill.

Everyone I have spoken to about this hack -- including a vendor, reseller, security analyst and IT manager -- told me that these types of hacks happen all the time. They said that telephone switches are a relatively easy target because most companies don't see them as a risk and they rarely have the in-house skills to properly secure them.

Ken, who is not an IT guy, told me he had no idea this kind of thing was possible. His motivation for speaking to me was that he hoped other companies would learn from his experience and make sure that they didn't make it easy for criminals to take advantage of their PABX.

I agreed to keep his identity -- and the identity of the company -- hidden. Not because he was embarrassed about being exploited by fraudsters, but because he wanted the story to be about the hack, not the hacked company.

As it happens, the story seems to have struck a chord with ZDNet Australia readers as it has become one of the most popular stories this month.

Because of Ken's confession, there are most likely far fewer unsecured PABX systems out there. I wonder if the message -- secure your PABX -- would have been lost in the hype had it been widely known that the hacked company was the one responsible for running this site -- CNET Networks Australia?